The GRC Pundit

Challenges in Risk Management

The GRC Pundit BlogPublished onUpdated on1 Comment on Challenges in Risk Management

Providing 360° Contextual Awareness of Risk

The physicist, Fritjof Capra, made an insightful observation on living organisms and ecosystems that also rings true when applied to risk management: 

The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.

Fritjof Capra

Capra’s point is that biological ecosystems are complex, interconnected, and require a holistic understanding of the intricacy in interrelationships as an integrated whole, rather than a dissociated collection of parts. Change in one segment of an ecosystem has cascading effects and impacts to the entire ecosystem. Consider the interconnectedness of a cycle of risk in the context of a draught and a forest fire. A drought increases the risk of a forest fire. If a fire should start this further contaminates the water as a byproduct of the fire. As the forest regrows it further reduces the water supply to sustain this growth which could cause more drought conditions.

This is true in risk management. What complicates this is the exponential effect of risk on the organization. Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect’, in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Dissociated data, systems, and processes can leave the organization with fragments of truth that fail to see the big picture of performance, risk, and controls across the enterprise, as well as how it supports their strategy and objectives. The organization has to have holistic visibility and 360° contextual awareness into risk relationships across the enterprise. Complexity of business and intricacy, and interconnectedness of risk data, requires that the organization implement a risk management strategy.

Organizations take risks all the time but fail to monitor and manage these risks effectively in an environment that demands agility. Too often risk management is seen as a compliance exercise and not truly integrated with the organization’s strategy, decision- making, and objectives. A cavalier approach to risk-taking is a result of a poorly defined risk culture. It results in inevitable failure of risk management, providing case studies for future generations on how poor risk management leads to the demise of organizations – even those with strong brands. 

Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumbers organizations of all sizes. Keeping this risk, complexity, and change in sync is a significant challenge for boards, executives, as well as risk management professionals throughout all levels of the business. This challenge is even greater when risk management is buried in the depths of departments and approached from a compliance or audit angle, and not as an integrated discipline of decision-making that has a symbiotic relationship on performance and strategy. Organizations need to understand how to monitor risk-taking, measure that the associated risks being taken are the right risks, and review whether the risks are managed effectively.

Risk management in the modern organization is:

  • Distributed.Even the smallest of organizations can have distributed operations complicated by a web of global supplier, agent, business partner, and client relationships. The traditional brick and mortar business with physical buildings and conventional employees has been replaced with an interconnected mesh of relationships and interactions which define the organization.  Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy.
  • Dynamic.Organizations are in a constant state of flux as distributed business operations and relationships grow and change. At the same time, the organization is trying to remain competitive with shifting business strategies, technologies, and processes while also keeping pace with change to risk environments around the world. The multiplicity of risk environments that organizations have to monitor span regulatory, geopolitical, market, credit, and operational risks. Managing risk and business change on numerous fronts has buried many organizations.
  • Disrupted.The explosion of data in organizations has brought on the era of “Big Data” and with that “Big Risk Data.” Organizations are attempting to manage high volumes of structured and unstructured data across multiple systems, processes, and relationships to see the big picture of performance, risk, and compliance. The velocity, variety, veracity, and volume of risk data is overwhelming – disrupting the organization and slowing it down at a time when it needs to be agile and fast.
  • Accountable.There is growing awareness among executives and directors that risk management needs to be taken seriously. It is part of their fiduciary obligations to oversee risk management as an integrated part of business strategy and execution. Furthermore, regulations that are increasing personal liability within these roles, such as the UK Senior Managers and Certification Regime (among other similar regulations), put an emphasis on business leaders taking greater interest and accountability for risk, control, and compliance.

Understanding the Interrelationship of Risk and its Impact

Risk management is often misunderstood, misapplied, and misinterpreted as a result of scattered and uncoordinated approaches that get in the way of sharing data. Risk is pervasive; there are a variety of departments that manage risk with varying approaches, models, needs, and views on what risk is and how it should be measured and managed. These challenges come at department and process levels, and continue to build as organizations develop operational and enterprise risk management strategies that span these departments. 

For some organizations, risk management is only an expanded view of routine financial controls, resulting in nothing more than a deeper look into internal controls with some heat maps thrown in, and does not truly provide an enterprise view of risk aligned with strategy and objectives. Completing a risk assessment process and ticking the box has got in the way of true risk analysis and understanding. 

Risk management is about the risk of not achieving objectives, therefore making the ability to link and measure risk to strategic objectives critical; as is monitoring performance against those objectives. The outcome of this is improved decision-making, better return on investment across the business, improved profitability, and a better customer experience.

Risk management silos — where distributed business units and processes maintain their own data, spreadsheets, analytics, modeling, frameworks, and assumptions — pose a major challenge to achieving this. Documents and spreadsheets are not equipped to capture the complex interrelationships that span global operations, business relationships, lines of business, and processes. Individual business areas focus on their view of risk and not the aggregate picture, unable to recognize substantial and preventable losses. When an organization approaches risk in scattered silos that do not collaborate, there is little opportunity to be intelligent about risk. This is due to the fact that it intersects, compounds, and interrelates to create a larger risk exposure than each silo is independently aware of. A siloed approach fails to deliver insight and context and renders it nearly impossible to make a connection between risk management and decision- making, business strategy, objectives, and performance. Risk accountability is frequently distributed across different board level owners. Today it is critical that these roles are all working off the same data and that this risk data is clean, reliable, and timely.

It can be bewildering to make sense of risk management and its varying factions across strategic, financial, credit, market, conduct, operational, project, legal, regulatory, third-party, strategic, insurance, and hazard risks. It makes enterprise and operational risk management a challenge if a risk management strategy forces everyone into one flat view of risk, confirming to have significant issues in risk normalization and aggregation as they roll-up risk into enterprise risk reporting. This is exponentially compounded when risk velocity is considered: when risk materializes into an event it moves very quickly. Are organizations agile enough to react?

The Risk Central Nervous System

Organizations need to develop a risk management capability aligned with strategy, performance, and objectives that operate as a risk central nervous system. Consider the following from Steve Balmer:

If you think of the human body, what does our nervous system let us do? It lets us hear, see, take input. It lets us think, analyze, and plan. It lets us make decisions and communicate and take action. Every company has a nervous system: companies take inputs, they think, they plan, they communicate, they take action.

Steve Balmer, former CEO Microsoft

A nervous system connects with other major systems of the body, and provides among others analytical capability, strategic thinking, and quick response to the environment. 

In the same context, organizations need a command and control hub that provides the analytical capability to measure and monitor a connected view of risk across:

  • Strategy
  • Operations
  • Compliance & Regulatory
  • Reputational
  • Conduct
  • Market
  • Insurance
  • Credit
  • Liquidity

Managing risk effectively requires multiple inputs and methods of modeling and analyzing risk. This requires information gathering — risk intelligence — so the organization has a full perspective and can make better business decisions. This is an important part of developing a risk analysis framework. Mature risk management is built on a risk management process, information, and technology architecture that can show the relationship between objectives, risks, controls, loss, and events. The demand is for predictive analytics to extract from this mass amount of data what exactly will help to prevent future significant losses, events, as well as incidents, and further help strategic business objectives succeed.

This means enabling a federated and connected view of risk that leverages artificial intelligence, machine learning, and robotic process automation to make the risk management process more efficient, effective, and agile. This in turn enables organizations to spend more time focusing on the analysis of risk in the context of the organization, its strategy, and objectives. Technology makes it easier to share data, while still maintaining independence of thought and action across the organization. 

In light of this, organizations should consider: 

  • How does the organization know it is taking and managing risk effectively to achieve optimal operational performance, and meet its strategic objectives? 
  • Which objectives could fail as a result of current risks?
  • How does the organization make the right business decisions?
  • What impact does risk have on products and services? 
  • What is the impact or potential impact on customers?
  • Do businesses understand the interrelationships and correlations between risks? 
  • Does the organization understand the relationships generally between cause and effect, processes, end-to-end process flows, and products and services? 
  • Does the organization understand the risk exposure to each individual objective or process, and how it interrelates with other risks to aggregate into an enterprise perspective of risk? 
  • Can the organization accurately gauge the impact risk has on strategy, performance, project, process, department, division, and enterprise levels? 
  • Does the organization have the information it needs to quickly respond to and avoid risk exposure, and also to seize risk-based opportunities? 
  • Does the organization monitor key risk indicators across critical projects and processes? 
  • Is the organization optimally measuring and modeling risk?

Gathering multiple perspectives on risk is critical for producing effective relational diagrams, decision trees, heat maps, and scenarios. This risk intelligence comes from: 

  • The external perspective.Monitoring the external environment for geopolitical, environmental, competitive, economic, regulatory, and other risk intelligence sources. 
  • The internal perspective.Evaluating the internal environment of objectives, projects, risks, controls, audits, loss, performance and risk indicators, and other internal data points. 

The bottom line: Organizations are best served to take a federated approach to risk management that allows different projects, processes, and departments to have their own view of risk. This can then roll into enterprise and operational risk management and reporting that supports business objectives while being integrated with decision-making processes. This can be done through a common risk management strategy, process, information, and technology architecture that supports overall risk management activities from the process level up through an enterprise view. 

Organizations need to clearly understand the breadth and depth of their risk management strategy and process requirements, and from there select the right information and technology architecture that is agile and flexible to meet the range of risk management needs for today, and into tomorrow. 

Upcoming Risk Management Webinar Series

The Evolution of Risk: Impacting Change Across the Organization

Upcoming Risk Management by Design Workshops

Other GRC 20/20 by Design Workshops

How Analytics is Influencing Governance, Risk Management & Compliance (GRC)

The GRC Pundit BlogPublished onUpdated onLeave a Comment on How Analytics is Influencing Governance, Risk Management & Compliance (GRC)

Humans excel at analytics; it is the way our brains are wired. We are constantly taking in information, processing, analyzing, and making decisions. Whether it is crossing a street, reading a book, watching a show, being a spectator or a participant at a sporting event . . . we are constantly analyzing everything around us.

The challenge is that we can be throttled and slowed down in analysis. This is particularly true in a Governance, Risk Management, and Compliance (GRC) context. The official definition of GRC is that it is “a capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].” To achieve GRC means that GRC roles and functions have to take in a massive amount of information, process it, align it in context, and make decisions.

Historically, we have done this manually. A lot of manual information gathering, processing, and reporting. Documents, spreadsheets, and emails were the backbone of this process. I was recently talking to one organization that was spending 200 employee hours building one report on GRC for the board of directors. They were combing through stockpiles of documents, spreadsheets, and emails gathering, calculating, and documenting information. This is not agile in today’s dynamic, distributed, disrupted business environment. We need GRC context quickly and efficiently. We need information to make the organization agile in a dynamic risk environment.

GRC related technologies have provided great benefit in automating . . .

[this is continued as a guest blog written by GRC 20/20 Research on the IsoMetrix Blog]
READ MORE

Next Generation Policy & Training Management Technology

The GRC Pundit BlogPublished onUpdated onLeave a Comment on Next Generation Policy & Training Management Technology

GRC 20/20 interacts with a lot of organizations as they evaluate solutions for policy and training management. As the only analyst firm that breaks this functionality out as its own segment of the broad Governance, Risk Management, and Compliance market, we have identified over 100 solutions that do policy and training management. Many of these are very niche and just focus on policies in a specific department or a specific industry, while several are what can be implemented for a consistent enterprise policy management program across the organization.

With an RFP requirement database of over 200 requirements for policy management solutions/platforms, GRC 20/20 breaks the market into basic, competitive, and advanced solutions. Interactions have included working with organizations of all sizes to assist them in their policy management RFPs. This includes a global organization that engaged GRC 20/20 for our RFP requirements in enterprise policy management to evaluate solutions to manage policies in 8 languages to over 160,000 employees across the organization. I have recently been interacting with one global bank as they build their business case for enterprise policy management and look to move forward with an RFP. But interactions also include inquiries with small and mid-sized organizations looking for policy management solutions.

I bring this experience to the table to provide background on the breadth of involvement of GRC 20/20 Research in policy and training management solutions available in the market. The reason is that I want to highlight some of the drivers and trends on how this has changed and what I see organizations are looking for now in the next generation of policy and training management. These can be divided across the following three areas:

  • Back-office of policy management. Organizations are looking for that solution that enables the policy management lifecycle from the authoring, approval, communication plans, tracking, monitoring, metrics, and maintenance of policies. One of the key elements I see here that organization are looking for is the collaborative authoring environment. Organizations are looking for that next generation portal that allows multiple authors and editors to be in the document at the same time in a web interface. They want to move away from the document check in and check out approach as that is the old generation of technology and provide real-time collaboration and authoring/editing. There is also a need to manage policies in the context of regulatory change, particularly in financial services and integrate regulatory change and policy management processes. Organizations also desire the ability to manage exceptions, deviations, policy related form development and workflow (e.g., disclosures), and built communication and awareness campaigns on policies.
  • Front-office policy and training engagement. Organizations are looking for solutions that are highly intuitive, engaging, and interactive (see graphic above). They want to bring policy and training together into the same portal. Every month I get inquiries from organizations that say their users, particularly millennials, go out to Facebook and can watch a video in Facebook, they don’t have to go out too YouTube to watch a video. That is the way modern technology works and what the want in the next generation policy and training portal. to bring together policy and training/eLearning/LMS into the same portal. They also want portals that are mobile that work on tablets and smartphones. In fact, I have had conversations with several firms that want to use tablets as policy and training kiosks as the bulk of their employees do not have computers issued for work (e.g., retail, hospitality, manufacturing). Intuitive, engaging, and interactive experiences are essential for the policy portal.
  • Defensible compliance. One of the primary drivers for policy management solutions in the market is to provide a defensible system of record for all policy interactions from the back-office to the front-office. Regulatory challenges such as UK SMCR, US DOJ Guidelines, US Sentencing Commission Guidelines, US FCPA and more dictate that organizations have operational compliance that is more than paper and are driving compliance programs that include policy and training management. They need a record of activity on what policies were active at what time, who accessed policies, was trained on them, made aware of them. Documents, spreadsheets, and emails do not provide a defensible system of record and organizations are turning toward purpose built compliance and policy/training management platforms to provide this.

This is just scratching the surface on what organizations are looking for and considering in policy and training management solutions. There is a lot more, but this summarizes the general trends in three directions. The ultimate goal is to enable an organization of integrity that can demonstrate that values, ethics, commitments, and boundaries are clearly understood, communicated, and followed. And when they are not the organization takes action. Policies are critical governance documents that cannot be managed haphazardly.

Upcoming Policy Management Workshop

Key Research on Policy Management Strategy

On-Demand Policy Management Research Briefings

Published Research on Policy Management – Strategy Perspectives

Step 3: Select the Right Equipment for the 3rd Party GRC Journey

The GRC Pundit BlogPublished onUpdated onLeave a Comment on Step 3: Select the Right Equipment for the 3rd Party GRC Journey

This is the 3rd blog in a 5-part series on developing a strategic plan for Third Party Governance/Management in your organization.

Growing up in Northwest Montana I spent a lot of time in the outdoors. This led into a passion for rock climbing when I was in high school (a hobby I put aside for 25 years and am tempted to pick up again). Everything was something to climb. My friends and I would go into town late at night and climb buildings, I was in a climbing competition my senior year of high school, and then taught climbing in the Grand Tetons the summer after high school. Those were the days!

Climbing laid the foundation for me in evaluating GRC technology, and in the case of today’s topic 3rd Party Governance, Risk Management, and Compliance (3rd Party GRC) solutions. You don’t throw everything into a backpack haphazardly and start a climb. When you are climbing both space and weight are critical. You need to understand what the journey is ahead of you from start to finish and select the right equipment for you to accomplish the task. This is true of 3rd Party GRC technologies, platforms, and solutions.

There are over 140 providers of various aspects of 3rd Party GRC. Some are very narrow and do a very specific thing (e.g., financial health/risk of 3rd parties, GDPR compliance, Conflict Minerals), while others provide a broad platform to manage an array of 3rd Party GRC needs and requirements. But even the broad platforms have differences. I have been fielding a number of complaints from organizations that find the 3rd Party Modules in their Enterprise GRC Platforms to be limiting as they only manage things at the relationship level but fail to get into the contract and service level agreements. A large bank may have a relationship with a service provider or outsourcers, but there may be 100 contracts/service level agreement tied to that one relationship. The bank needs to know that 89 of those contracts touch GDPR requirements. Or a manufacturer needs to know the individual materials and components and the traceability of those materials/components down through a nested supply chain. Some solutions do not go deep or broad enough.

Third Party GRC is often a module that fails in Enterprise GRC initiatives as organizations try to bundle everything into one platform. This can work with the right solution, but as these organizations move forward with their Enterprise GRC Platform they often find that the 3rd Party GRC module is limited and does not meet the requirements of managing the details of a relationship that are critical to the organizations . . . so they end up scrapping this module and go looking for a deeper solution that can meet their needs.

The right technology architecture enables the organization to effectively manage 3rd party performance and risk across extended business relationships, and facilitate the ability to document, communicate, report, and monitor the range of assessments, documents, tasks, responsibilities, and action plans. There can and should be be a central core technology platform for 3rd Party GRC that connects the fabric of processes, information, and other technologies together across the organization. Many organizations see 3rd Party GRC initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them:

  • Documents, spreadsheets, and email.Manual spreadsheet and document-centric processes are prone to failure, as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on – consuming valuable resources. The organization ends up spending more time in data management and reconciling, as opposed to active risk monitoring of extended business relationships. 
  • Point solutions.  Implementation of a number of point solutions that are deployed and purpose built for very specific risk and regulatory issues. The challenge here is that the organization ends up maintaining a wide array of solutions that do very similar things but for different purposes. This introduces a lot of redundancy in information gathering and communications that taxes the organization and its relationships.
  • ERP and procurement solutions.There is a range of solutions that are strong in the ERP and procurement space that have robust capabilities in contract lifecycle management, transactions, and spend analytics. However, these solutions are often weak in overall 3rd party governance, risk management, and compliance, but these players have now started to look more at 3rd Party GRC.
  • Enterprise GRC platforms.Many of the leading enterprise GRC platforms have 3rd party (e.g., vendor) risk management modules. However, these solutions often have a predominant focus on risk and compliance, and do not always have the complete view of performance management of third parties. These solutions are often missing key requirements, such as third party self-registration, third party portals, and established relationships with third party data and screening providers.
  • Third Party GRC Platforms.These are solutions that are built for the breadth and depth of 3rd Party GRC. Some are fully focused on just 3rd Party GRC, while a few Enterprise GRC platforms have deeper capabilities than their peers. These solutions have the broadest array of built-in (versus built-out) features to support the breadth of third party management processes. In this context they take a balanced view of 3rd party governance and management that includes performance of third parties, as well as risk and compliance needs. These solutions often integrate with ERP and procurement solutions to properly govern 3rd party relationships throughout their lifecycle, and can feed risk and compliance information into GRC platforms for enterprise risk and compliance reporting where needed.

Successful 3rd Party GRC requires a robust and adaptable information architecture that can model the complexity of 3rd party information, transactions, interactions, relationship, cause and effect, and analysis of information that integrates and manages:

  • Master data records.This includes data on the third party such as address, contact information, and bank/financial information.
  • Third party compliance requirements.Listing of compliance/regulatory requirements that are part of third party relationships.
  • Third party risk and control libraries.Risks and controls to be mapped back to third parties.
  • Policies and procedures.The defined policies and procedures that are part of third party relationships.
  • Contracts.The contract and all related documentation for the formation of the relationship.
  • SLAs, KPIs, and KRIs.Documentation and monitoring of service level agreements, key performance indicators, and key risk indicators for individual relationships, as well as aggregate sets of relationships.
  • Third party databases.The information connections to third party databases used for screening and due diligence purposes, such as sanction and watch lists, politically exposed person databases, cyber-security ratings, as well as financial performance or legal proceedings.
  • Transactions.The data sets of transactions in the ERP environment that are payments, goods/services received, etc.
  • Forms.The design and layout of information needed for third party forms and approvals.

The right third party technology architecture choice for an organization involves integration of several components into a core third party governance platform solution to facilitate the integration and correlation of third party information, analytics, and reporting. Organizations suffer when they take a myopic view of third party management technology that fails to connect all the dots, and provide context to business analytics, performance, objectives, and strategy in the real-time business operates in. Some of the core capabilities organizations should consider in a third party governance platform are:

  • Internal integration.Third party management is not a single isolated competency or technology within a company. It needs to integrate well with other technologies and competencies that already exist in the organization – procurement system, spend analytics, ERP, and GRC. So the ability to pull and push data through integration is critical. 
  • External integration.With increasing due diligence and screening requirements, organizations need to ensure that their solution integrates well with third party databases. This involves the delivery of content from knowledge/content providers through the third party technology solution to rapidly assess changing regulations, risks, industry, and geopolitical events.  
  • Content, workflow, and task management.Content should be able to be tagged so it can be properly routed to the right subject matter expert to establish workflow and tasks for review and analysis.  Standardized formats for measuring business impact, risk, and compliance. 
  • 360° contextual awareness.The organization should have a complete view of what is happening with third party relationships in context of performance, risk, and compliance. Contextual awareness requires that third party management have a central nervous system to capture signals found in processes, data, and transactions, as well as changing risks and regulations for interpretation, analysis, and holistic awareness of risk in the context of third party relationships.

It is critical that organizations closely understand the breadth and scope of 3rd Party GRC across the organization and define a strategy and process for what they want to accomplish now, as well as 3 to 5 years from now. It is then they can evaluate and consider the right features and functionality they need in a 3rd Party GRC.

Supporting 3rd Party GRC Research . . .

GRC 20/20 has defined this in our key research paper (currently being revised):

GRC 20/20 is also presenting on how to build a business case for and evaluate the range of 3rd Party GRC solutions in the market:

GRC 20/20 is also facilitating several upcoming workshops on this topic as well:

Other Case Studies, Strategy Perspectives, and Solution Perspectives on Third Party GRC can be found here.

GRC 20/20’s 3rd Party GRC Research

Ask GRC 20/20 an inquiry on what 3rd Party GRC solutions available in the market and what differentiates them, this is what we do – research and analysis of technology for GRC . . . .

ASK INQUIRY ON 3rd PARTY GRC

GRC Behemoth vs Agile GRC

The GRC Pundit BlogPublished onUpdated onLeave a Comment on GRC Behemoth vs Agile GRC

Outside of Governance, Risk Management & Compliance (GRC), my passion and interest is in British medieval history – from the Anglo-Saxon period through the Plantagenets and the War of the Roses. Nothing quite inspires like a good Anglo Saxon epic, particularly Beowulf. One of my favorite moments is when Beowulf goes up against the vicious monster Grendel. Grendel is a behemoth of a monster, devouring, imposing, and outright terrifying. Beowulf engages Grendel unarmed with no armor and defeats him in a vicious battle by tearing off the monster’s arm. The agility of Beowulf in a fight against a dominant and imposing behemoth reminds me of what is taking place in the context of GRC platforms and technologies in the market.

The Dominion of the GRC Behemoth

A few months back there was a LinkedIn post that described the song Hotel California as being a parable of an implementation of one GRC solution, that after $500 thousand in license, and $2 million in implementation, three years later it is ready to do something. This is something I am hearing every week from organizations that are frustrated with GRC Market Leaders that have significant cost of ownership and build out. Where an organization has to have certified experts make changes because of the complexity of the system and it may take months to see configuration changes implemented.

Several of my workshops this past year have had prominent organizations express their frustrations with established GRC Leaders in the market (note: I use the term GRC but these are also the same leaders Gartner has in their IRM Magic Quadrant). In reviewing RFPs GRC 20/20 has been involved in over the past two years, solutions that Gartner and Forrester consider a Leader, in their respective Magic Quadrants and Waves, have a ratio of software license to implementation of 1:3 to 1:5. That is for every dollar spent on software license in the first year an organization can expect to spend 3 to 5 dollars on configuration and build out. This is the configuration and build out, not management consulting costs for process design. Solutions that are outside the Leaders quadrant have a ration of about 1:0.5 to 1:2. While some of these GRC Leaders are working hard to rearchitect their solution to address this, it is opening the door to other solutions that have entered the market with highly agile solutions.

Era of Agile GRC

The reality is that GRC can be agile and not a behemoth of cost. There are a range of solutions in the market that are highly agile with ease of configuration and adaptability. This was illustrated at a user conference I was a keynote speaker at last year in Sydney, Australia (note: I am not naming names in this post as there are several agile solutions in the market and want to be fair to all, you can always ask me about these in inquiry). This is a young GRC solution provider who had their solution on the market less than a year and had 200 people at their conference (which is very impressive for a user conference in Sydney, let along a first user conference). After my keynote, they had a session in which they stated they would build a complete case/incident management module with forms, workflow, tasks, and reporting in else than an hour. To illustrate this further they had 2 bartenders up front with 200 cocktail glasses and said this fully functioning module will be complete before the bartenders finished pouring 200 drinks for the attendees. They did it.

GRC 20/20 is seeing a range of highly agile GRC related solutions in the market that have a significant return on value and low cost of ownership when contrasted to legacy GRC solutions that are often seen as the market leaders. This is forcing the market to adjust to consider highly agile solutions available to organizations as well as traditional market leaders to rearchitect their solutions to remain competitive.

I would love to hear your thoughts and experience . . .

Or you can also ask GRC 20/20 an inquiry on what Agile GRC solutions are the up and comers and what is changing with traditional market leaders so they can maintain their positions . . . .

ASK INQUIRY ON AGILE GRC

Step 2: Conditioning is Critical, Make Sure Your Team and Systems are Ready for 3rd Party GRC

The GRC Pundit Blog, UncategorizedPublished onUpdated on1 Comment on Step 2: Conditioning is Critical, Make Sure Your Team and Systems are Ready for 3rd Party GRC

This is the 2nd blog in a 5-part series on developing a strategic plan for Third Party Governance/Management in your organization.

With an understanding of where you are at and where you want to go with 3rd Party Governance, the next step is to make sure your team and systems are ready for the journey. The physicist, Fritjof Capra, made an insightful observation on living organisms and ecosystems that also rings true when applied to 3rd Party Governance, Risk Management, and Compliance (3rd Party GRC): 

“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”[1]

Capra’s point is that biological ecosystems are complex and interconnected and require a holistic understanding of the intricacy in interrelationship as an integrated whole rather than a dissociated collection of parts.  Change in one segment of an ecosystem has cascading effects and impacts to the entire ecosystem.  This is true in 3rd Party GRC. What further complicates this is the exponential effect of 3rd party risk on the organization.  Business operates in a world of chaos.  Applying chaos theory to business is like the ‘butterfly effect’ in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Dissociated data, systems, and processes leaves the organization with fragments of truth that fail to see the big picture of 3rd party performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives.

The organization needs to have holistic visibility and situational awareness into 3rd party relationships across the enterprise. Complexity of business and intricacy and interconnectedness of third party data requires that the organization implement a third party management strategy. 

The primary directive of a mature 3rd Party GRC program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of 3rd party relationships in context of performance, risk, and compliance. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of third parties across the extended enterprise.

Organizations need to ensure that the various departments and roles involved in governing 3rd party relationships are on board and willing to work together in a cohesive strategy. The goal is to provide the greatest balance in collaborative 3rd party governance and oversight to allow for some department/business function autonomy where needed, but focuses on a common governance model and alignment that the various groups in 3rd party governance utilize. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across 3rd party relationships, as it allows different business functions to be focused on their areas while reporting into a common governance framework and architecture. Different functions participate in third party management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.

The goal is to have centralized 3rd party governance oversight to create consistent and aligned strategy with a common 3rd party governance process, information and technology architecture. Organizations with this collaborative approach report process efficiencies reducing human and financial capital requirements, greater agility to understand and report on third party performance, risk and compliance, and greater effectiveness through the ability to report and analyze 3rd party risk and compliance data. The goal should not only to manage risk and compliance, but to integrate 3rd party governance in the context of performance, objectives, and strategy in relationships.

To achieve the full benefits from an 3rd party GRC strategy, GRC 20/20 recommends the following next steps:

  • Gain executive support and sponsorship of the third party governance strategy.The organization needs to work in harmony on third party governance. Different groups doing their own thing handicap the business. Executive support is critical to align the organization.
  • Develop harmonized systems and processes. Key to success is identification of shared processes and information for 3rd party GRC across the enterprise. This includes identifying technology and information solutions to support integrated information and process architecture.

This team needs to be aligned to share a common vision to move to an integrated approach to 3rd party GRC across the business that includes an understanding of risk and compliance in context of performance and objectives in third party relationships.

[1]Fritjof Capra, The Web of Life: A New Scientific Understanding of Living Systems (New York: Anchor Books, 1996), 3.

Supporting 3rd Party GRC Research . . .

GRC 20/20 has defined this in our key research paper (currently being revised):

GRC 20/20 is also presenting on how to build a business case for and evaluate the range of 3rd Party GRC solutions in the market:

GRC 20/20 is also facilitating several upcoming workshops on this topic as well:

Other Case Studies, Strategy Perspectives, and Solution Perspectives on Third Party GRC can be found here.

GRC 20/20’s 3rd Party GRC Research

Step 1: Develop a 3rd Party GRC Strategic Plan

The GRC Pundit Blog, Third Party Management SolutionsPublished onUpdated on1 Comment on Step 1: Develop a 3rd Party GRC Strategic Plan

I grew up in the Northwest corner of Montana, a beautiful but wild country. From my earliest years I loved the outdoors. In fact, long before any aspirations to build a career in Governance, Risk Management & Compliance (GRC), I wanted to be a backcountry ranger in Glacier National Park. To spend time in the outdoors requires planning and a respect for the outdoors. To go trekking requires a plan of where you are going so you know who and what to bring with you on that journey. This planning is exactly what organizations need in context of 3rd party governance/management.

The greatest challenge upon organizations in the context of GRC is the governance, risk management, and compliance of the range of 3rd party relationships. We have reorganized, outsourced, and distributed business around the world. Today’s modern organization is not a traditional brick and mortar business. Organizations are now defined by a complex, intricate, interconnected, and nested web of relationships and transactions. Traditional employees no longer define who works for an organization as over half of our insiders are now outsourcers, service providers, contractors, consultants, temporary workers, suppliers, vendors, brokers, agents, dealers, intermediaries, customers, partners, and even competitors who collaborate and work with us. Their issues, challenges, and problems are your organization’s issues, challenges, and problems. These relationships bring significant value but also significant risk as well as compliance and integrity concerns.

This is compounded by the growing array of risks and regulations that impact the organization and its extended relationships. Such as:

  • Anti-bribery and corruption (US FCPA, UK Bribery Act, Sapin II, OECD)
  • Business/supplier continuity
  • Data privacy & protection (EU GDPR, California CCPA, information security)
  • Ethics & Values (vendor/supplier code of conduct)
  • Geopolitical risk
  • Human rights (US Conflict Minerals, EU Conflict Minerals, UK Modern Slavery Act, international labor standards)
  • Import/export compliance
  • Quality (ISO 9000)
  • Environmental, Health & Safety (REACH, RoHS)
  • And more . . .

GRC 20/20 defines 3rd Party GRC (or 3rd party management, or what some more narrowly call vendor risk, supplier risk, etc.) as:

“the capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE] in and across and down throughout an organizations third party relationships: the extended enterprise.”

Adapted from the OCEG GRC Definition

The challenge and danger many organizations face in the journey to manage these relationships is a haphazard approach in which there is no careful and strategic plan. The organization, in its various departments, randomly addresses aspects of 3rd party GRC without thinking about the big picture. The result is a lot of redundancy, gaps, inefficiency, lack of agility and effectiveness, and thing slipping through the cracks. IT security has their approach, procurement is doing their thing, legal/compliance/ethics are doing something else, other groups such as quality, environmental, health and safety all have their approaches. Some are using documents, spreadsheets, and emails to govern third parties, others are using siloed commercial tools, and some are only putting out fires when a problem arises. No one sees the big picture and there is no coordinated effort to govern these relationships strategically to ensure that the value they are delivering outweighs the risk and exposure bring as well.

GRC 20/20 has identified three approaches organizations take to manage 3rd party relationships:

  • Anarchy – ad hoc department silos.  This is when the organization has different departments doing different yet similar things with little to no collaboration between them. Distributed and siloed 3rd party initiatives never see the big picture and fail to put 3rd party management in the context of business strategy, objectives, and performance. The organization is not thinking big picture about how 3rd party GRC processes can be designed to meet a range of needs. An ad hoc approach to 3rd party GRC results in poor visibility into the organization’s relationships, as there is no framework for bringing the big picture together; there is no possibility to be intelligent about 3rd party risk and performance. The organization fails to see the web of risk interconnectedness and its impact on 3rd party performance and strategy leading to greater exposure than any silo understood by itself. 
  • Monarchy – one size fits all. If the anarchy approach does not work then the natural reaction is the complete opposite: centralize everything and get everyone to work from one perspective. However, this has issues as well. Organizations run the risk of having one department be in charge of 3rd party GRC that does not fully understand the breadth and scope of third party risks and needs. The needs of one area may shadow the needs of others. From a technology point of view, it may force many parts of the organization into managing 3rd party relationships with the lowest common denominator and watering down 3rd party management. Further, there is no one-stop shop for everything 3rd party GRC as there are a variety of pieces to 3rd party management that need to work together. 
  • Federated – an integrated and collaborative approach.The federated approach is where most organizations will find the greatest balance in collaborative 3rd party governance and oversight. It allows for some department/business function autonomy where needed but focuses on a common governance model and architecture that the various groups in 3rd party GRC participate in. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across 3rd party relationships as it allows different business functions to be focused on their areas while reporting into a common governance framework and architecture. Different functions participate in 3rd party management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems. 

The modern organization has to have a strategic plan to govern 3rd party relationships to ensure they reliably achieve the objectives they were established for while managing the uncertainty and risk and act with the integrity and values that is expected of them. This requires a cross-department strategic plan, coordination, and collaboration on 3rd Party GRC. Designing a federated third party management program starts with defining the third party strategy. The strategy connects key business functions with a common third party governance framework and policy.  The strategic plan is the foundation that enables thi3rdrd party transparency, discipline, and control of the ecosystem of third parties across the extended enterprise. 

The core elements of the third party strategic plan include:

  • Third party governance team. The first piece of the strategic plan is building the cross-organization 3rd party governance team (e.g., committee, group). This team needs to work with 3rd party relationship owners to ensure a collaborative and efficient oversight process is in place. The goal of this group is to take the varying parts of the organization that have a vested stake in 3rd party GRC and get them collaborating and working together on a regular basis. Various roles often involved on the third party governance team are: procurement, compliance, ethics, legal, finance, information technology, security, audit, quality, health & safety, environmental, and business operations. One of the first items to determine is who chairs and leads the third party governance team.
  • Third party GRC charter. With the initial collaboration and interaction of the 3rd party GRC team in place, the next step in the strategic plan is to formalize this with a 3RD party GRC charter. The charter defines the key elements of the 3rd party management strategy and gives it executive and board authorization. The charter will contain the mission and vision statement of 3rd party GRC, the members of the 3rd party governance team, and define the overall goals, objectives, resources, and expectations of enterprise 3rd party GRC. The key goal of the charter is to establish alignment of 3rd party GRC to business objectives, performance, and strategy. The charter also should detail board oversight responsibilities and reporting on third-party management.
  • Third party governance policy.The next critical item to establish in the 3rd party GRC strategic plan is the writing and approval of the 3rd party GRC policy (and supporting policies and procedures). This sets the initial 3rd party governance structure in place by defining categories of 3rd parties, associated responsibilities, approvals, assessments, evaluation, audits, and reporting. The policy should require that an inventory of all 3rd party relationships be maintained with appropriate categorizations, approvals, and identification of risks.

GRC 20/20 has defined this in our key research paper (currently being revised):

GRC 20/20 is also presenting on how to build a business case for and evaluate the range of 3rd Party GRC solutions in the market:

GRC 20/20 is also facilitating several upcoming workshops on this topic as well:

Other Case Studies, Strategy Perspectives, and Solution Perspectives on Third Party GRC can be found here.

THIRD PARTY GRC RESEARCH

UK SMCR: A Paradigm Shift to GRC Accountability

The GRC Pundit Blog, UncategorizedPublished onUpdated onLeave a Comment on UK SMCR: A Paradigm Shift to GRC Accountability

The UK Senior Manager’s Regime and Certification Regime (UK SMCR) is a paradigm shift in regulation and accountability. In one context, I have used the analogy that it is the “One Ring” in Tolkien’s Lord of the Rings. Instead of a ring, it is the:

One [REGULATION] to rule them all, One [REGULATION] to find them [RISK, COMPLIANCE, CONTROL], One [REGULATION] to bring them all, and in the [ENFORCEMENT] bind them.

UK SMCR is a significant challenge for financial services firms. This year, the Financial Conduct Authority (FCA) is applying the regulation to all firms governed by the FCA: over 58,000 organizations. This is the governing regulation of all regulation and risk as it enforces senior manager/executive accountability for all aspects of risk and compliance. It puts personal accountability on senior directors and executives if there is negligence or lack of due diligence in managing risk, conduct, compliance, and controls. These senior managers could go to jail or be personally fined (and their organization cannot reimburse them). It is the UK SMCR regulation that sees that other risk and compliance is properly managed across the organization. For example, Barclay’s CEO was recently fined £640,000personally under UK SMR/CR.

This is a significant shift from responsibility to accountability. The difference may seem subtle, but it is real. Accountability means . . .

[The rest of this blog is continued as a guest blog by GRC 20/20 on the SureCloud site]

READ MORE

Chief Ethics & Compliance Officer: SWOT Analysis

The GRC Pundit Blog, UncategorizedPublished onUpdated onLeave a Comment on Chief Ethics & Compliance Officer: SWOT Analysis

Last week a Global CECO (manufacturing company operating in more than 60 countries with over 17,000 employees) reached out to me on a research piece I had published back in 2012 (a report I wrote for OCEG). It was a SWOT Analysis of the CECO role. This CECO asked me if I had updated this as it had provided him insight into his career and direction six years back and curious how my research and thoughts on this have changed since then. Before we get into the my current SWOT analysis on the CECO role, it is important to understand a few things happening that is shifting the role of compliance in organizations . . .

  • Compliance the Bastion of Organization Integrity. For the past fifteen years I have stated that if we could rebrand the CECO role I would advocate it to be the Chief Integrity Officer, but we already have a CIO so that most likely will not work. Integrity is the purpose and focus of compliance and ethics. This is becoming more and more apparent as the years move on and the compliance and ethics role evolves.
  • Compliance is Dealing with Lots of Change. The greatest challenge for the compliance and ethics function is keeping up with change, and then keeping all that change in sync. There is a barrage of regulatory, risk, and business change happening. Global financial services firms are dealing with 216 regulatory change events every business day (source: Thomson Reuters). Other industries are seeing a similar onslaught of evolving legislation, regulation, litigation, and enforcement actions. But the business is changing just as rapidly through shifts in strategy, employees, technology, mergers/acquisitions, and more. The challenge is keeping all that change in sync. Being intelligent about the law or regulation does not make you compliant if compliance is not operational in context of an evolving and dynamic organization.
  • Compliance Becoming an Independent Function in the Organization. There has been increased pressure for the compliance and ethics function to report outside of legal. This comes from a string of consent decrees, deferred prosecution agreements, non-prosecution agreements, corporate integrity agreements, and changes to the US Sentencing Commission Organizational Sentencing Guidelines. Compliance has the duty to discover and fix, while legal generally has the duty to deny and protect. This can be at odds with each other and a conflict. So in the slight majority of organizations we now see that the operational aspects of compliance now reports outside of legal. As a result, compliance functions are getting their own budgets and looking for improvements in compliance/ethics strategy, process, and technology to support their initiatives.
  • Compliance Accountability (more than Responsibility). Regulations like the United Kingdom’s Senior Manager’s Regime/Certification Regime (which has had a cascading impact on other jurisdictions such as Australia, Singapore, Hong Kong, Japan, Ireland) is focused on putting senior managers and executives personally accountable for compliance failures as a result of negligence or lack of due diligence. Last year, Barclay’s CEO was fined over £640,000 (nearly $900,000) under UK SMR/CR in context of a whistle blower issue. He personally had to pay this and the bank cannot reimburse them. I have likened UK SMR/CR to the one regulation to rule them all, one regulation to find them, one regulation to bring them all and in the enforcement bind them (for all of you Tolkien fans). It is the regulation of all regulations that puts personal accountability and exposure on senior managers and executives.
  • Compliance Roles Gaining Risk Management Skills. Another paradigm shift I have been monitoring for the past twelve+ years is the dichotomic differences in compliance between the USA and much of the rest of the world. In the USA you have a very prescriptive, check-box mentality to compliance. Organizations want their checklist and if they check the checkboxes they want their get out of jail free card. This is in contrast to what we see in the UK, across Europe, and much of the rest of the world which takes a principle, or outcome-based, approach to compliance. In this approach organizations are not given a checklist, but what the expected outcomes or principles are. The way one organization achieves compliance is different from the way another organization might choose to get there. The focus is on the end results. This is requiring that compliance executives have a stronger background in risk management as they have to understand the compliance risk and choose the best approach to mitigate the risk for their particular organizations situation. As regulations are written with a cross-jurisdictional impact, like GDPR, this means that principle/outcome-based approaches are making a global impact requiring compliance executives to build strong risk management skillsets.
  • Compliance as a Federated Function. There are lots of departments of compliance – corporate compliance, HR compliance, IT compliance, quality compliance, environmental compliance, health & safety compliance. The CECO role is becoming a facilitator and leader of compliance across these departments in a federated and collaborative capacity.

SWOT Analysis of the Chief Ethics & Compliance Officer Role

SWOT Analysis is a powerful technique for identifying strengths and weaknesses, and for examining the opportunities and threats a CECO faces in managing and maintaining organization integrity and driving toward a strategy of Principled Performance®.  A SWOT analysis can help a CECO develop his or her career in a way that takes best advantage of one’s talents, abilities, and opportunities. What makes SWOT particularly powerful is that with a little thought, it can help uncover opportunities an executive can take advantage of. By understanding one’s weaknesses, an executive can manage and eliminate threats that could otherwise catch them unaware. More than this, using the SWOT framework, the CECO can start to distinguish him or herself from peers, and move quickly to develop the specialized talents and abilities needed to accelerate one’s career.

Approaching a SWOT analysis on a role/function like the CECO can be divided into:

  • Internal Qualities
    • Strengths: Your personal professional capabilities 
    • Weaknesses: Your personal professional challenges
  • External Dynamics
    • Opportunities: Organizational prospects to leverage and advance your career 
    • Threats: Organizational challenges to overcome and advance your career

Strengths: Professional Capabilities

  • Enabler & leader, that strives to enable the organization to reliably achieve objectives while addressing uncertainty and act with integrity.
  • Evangelist & visionary, that provides leadership, direction and insight for creating and protecting organization integrity, ethics, and values as well as maintain compliance with laws, regulations, policies, and procedures.
  • Energetic & engaging, with good communication skills that builds interest in better approaches to compliance management, ethics, and values throughout the organization.
  • Agile & versatile, that brings broad experience in compliance, ethics, regulatory issues, and corporate values and how they impact other business disciplines and roles.
  • Dedicated & driven, a passionate goal-oriented problem-solver that moves the enterprise forward through strong execution of finding and fixing compliance and ethical problems while enabling the business to execute on strategy in a principled manner.
  • Collaborator & facilitator, of compliance and ethics across a range of compliance functions scattered across the business and operations that acts as a partner with peers in the organization, adept at leveraging best practices and initiatives across operating units.

Weaknesses: Professional Challenges

  • Limited technical acumen, most compliance roles have grown out of legal that has often been more comfortable with documents and paper with limited understanding of how technology can make compliance more efficient, effective, and agile. When compliance executives are approached with technology they tend to find a solution to a specific problem as opposed to thinking big picture on how an integrated compliance technology architecture can provide greater contextual insight into compliance.
  • Manual processes and myopic technology, related to the limited technical acumen, this overwhelms the compliance officer and function with documents and manual processes that takes time to reconcile and report. For example, one organization was spending 200 FTE hours building a compliance report that now takes them 1 minute.
  • Project management skills are needed, compliance and ethics management has become a complex and intricate set of projects, tasks, and reports that requires compliance management to have an integrated view into compliance deadlines, resources, reports, and activities. This means that the CECO needs to have strong project management capabilities.
  • Federated facilitation experience, while the CECO role is the figure head of compliance, this role often has a limited view into the expanse of compliance across departments. The CECO role needs to be the chief herder of the compliance cats to get various fragments of compliance scattered in business operations to work together collaboratively.
  • Moving beyond checklists, the compliance function has a tendency to focus on corporate compliance checklists to find and resolve compliance issues, and now is being challenged to understand compliance risk and take on ethics, values, social responsibility, and become a champion for corporate culture.
  • Stigma of the corporate cop, the compliance role has historically been seen as a corporate cop rather than a strategic and operationally influential champion of organization integrity. This leads to a misperception of compliance being the department of NO instead of the principled enabler of ethical business.
  • Fire fighting and reactive approaches to compliance, where resources are consumed in investigations and putting out compliance fires which leaves little to no resources for proactive planning of compliance and ethics. The CECO is constantly behind in trying to keep a changing business compliant while reacting to ever-changing laws, regulations, and court and regulatory rulings.

Opportunities: Organization Prospects

  • Focus on integrity, in which the the compliance and ethics function continually assesses regulatory, ethical, and social responsibility trends to develop a full understanding of mandatory and voluntary obligations and requirements for compliance that align with the organizations values.
  • Federated Governance, Risk Management & Compliance (GRC) focus in which the CECO is part of an executive strategy to enable an organization “to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].” This requires that the CECO be able to collaborate across the range of compliance areas that he or she has not typcially covered before to facillitate compliance across the organization.
  • Leverage an integrated information and technology architecture to manage the range of compliance projects, tasks, assessments, exams/audits, investigations, policies, and training. So the organization has 360° contextual intelligence on compliance. Where there is one common portal for policies and training for employees.
  • Enable the organization to be a Principled Performer to pursue competitive advantages with superior GRC capability aligned with compliance and ethics that is kept current and managed in a dynamic business, risk, and regulatory environment.
  • Improve compliance reporting to senior management and the board by integrating compliance metrics, information into existing reporting processes and forms to assist in their fiduciary obligations of oversight of compliance.
  • Build superior shareholder relations and broader stakeholder communications around ethics, values, and compliance activities.

Threats: Organization Challenges

  • Third party risk and compliance in which vendors, suppliers, outsourcers, and such expose the organization to issues of fraud, corruption, social responsibility, and compliance violations across these extended business relationships that result in reputational damage and substantial fines and penalties. Over half of insiders are not traditional employees but third parties which requires that a compliance program extend across third party relationships.
  • Keeping a changing organization in sync with changing compliance requirements, the volume of change impacting compliance is staggering. Being knowledgable at regulations and the law does not good if the organization is not operationally compliant. Keeping a dynamic business compliant with ever changing laws, regulations, and enforcement actions is a huge issue for most organizations.
  • Lack of competitive edge as competitors with more agile, effective, and efficient compliance programs outpace the organization in the market as it is encumbered with slow processes and reactive approaches. This stems from:
    • Failure to implement adequate compliance and ethics infrastructure and architecture to monitor, mitigate, and respond to compliance and conduct risk of unethical conduct.
    • Inadequate integrated GRC technology infrastructure, which reduces the quality and flow of information.
    • Siloed processes and systems causing delayed reporting and inconsistent quality and reliability of risk information.
    • Document centric approaches handicap compliance reporting and relative value to the rest of the organization.
  • Culture reinforcing compliance communication after an event or incident occurs, rather than proactively identifying potential problems before the occur.

Leveraging Data Classification to Enable GDPR/CCDP Data Subject Requests

UncategorizedPublished onUpdated onLeave a Comment on Leveraging Data Classification to Enable GDPR/CCDP Data Subject Requests

Regulatory requirements are driving organizations to clearly define processes to manage personal data requests from data subjects [1], which in turn requires clear data classification and disposition controls in the environment. Chief among these regulations is the EU Global Data Protection Regulation (GDPR) but following suit later this year is the California Consumer Privacy Act (CCPA).

A key component of these regulations, with some nuances between them, is to assure data subjects of the control, use, protection and privacy of their personal data. To do this, GDPR empowers data subjects with specific rights. These rights enable data subjects to make specific requests and be assured that their personal data is only used for approved purposes for which it was provided. They include the right to access and rectify data collected on the data subject, the right for erasure of personal data, and the right to object to the data subject’s information being used.

These data subject rights provide the foundation for GDPR and CCPA compliance and an organization, the . . .

[The rest of this blog is continued as a guest blog by GRC 20/20 on the InfoGoTo site]

READ MORE